
Verifiable Homomorphic Oblivious Transfer and Private Equality Test



  1. Verifiable Homomorphic Oblivious Transfer and Private Equality Test
     Helger Lipmaa, Helsinki University of Technology, http://www.tcs.hut.fi/~helger
     Asiacrypt 2003, 03.12.2003. Verifiable Homomorphic OT and PET, Helger Lipmaa

  2. Overview of This Talk
     • What are Oblivious Transfer and Private Equality Test?
     • Building Block: Affine Cryptosystems
     • New (Verifiable) Homomorphic Oblivious Transfer protocols
     • New (Verifiable) Homomorphic Private Equality Tests
     • Application: Proxy Verifiable HPET and Auctions

  4. $\binom{n}{1}$-Oblivious Transfer
     • Sender has private input, database $\mu = (\mu_1, \dots, \mu_n)$
     • Chooser has private input, index $\sigma \in [1, n]$
     • Chooser and Sender participate in the two-party protocol
     • Chooser has private output $\mu_\sigma$
     • Nothing more will be leaked. If $\sigma \notin [1, n]$, chooser gets garbage
     • Numerous applications in cryptography

  5. Verifiable $\binom{n}{1}$-Oblivious Transfer
     • Sender has private input, database $\mu = (\mu_1, \dots, \mu_n)$
     • Chooser has private input, index $\sigma \in [1, n]$
     • Chooser and Sender participate in the two-party protocol
     • Chooser has private output $\mu_\sigma$ and commitments to $\mu_i$ for $i \in [1, n]$
     • Nothing more will be leaked
     • Numerous applications in cryptography

  6. Verifiable $\binom{n}{1}$-Oblivious Transfer
     • Sender has private input, database $\mu = (\mu_1, \dots, \mu_n)$
     • Chooser has private input, index $\sigma \in [1, n]$
     • Chooser and Sender participate in the two-party protocol
     • Chooser has private output $\mu_\sigma$ and commitments to $\mu_i$ for $i \in [1, n]$
     • Nothing more will be leaked. If $\sigma \notin [1, n]$, chooser gets garbage
     • Numerous applications in cryptography

  7. Private Equality Test
     • Sender has private input, $W_{Sen}$
     • Chooser has private input, $W_{Cho}$
     • Chooser and Sender participate in the two-party protocol
     • Chooser has private output $[W_{Sen} = W_{Cho}]$ (one bit)
     • Nothing more will be leaked.

  8. Verifiable Private Equality Test
     • Sender has private input, $W_{Sen}$
     • Chooser has private input, $W_{Cho}$
     • Chooser and Sender participate in the two-party protocol
     • Chooser has private output $[W_{Sen} = W_{Cho}]$ (one bit) and a commitment to $W_{Sen}$
     • Nothing more will be leaked

  10. Affine Cryptosystems, 1/4
     • A public-key cryptosystem is a triple $\Pi = (G_\Pi, E, D)$ of key generation, encryption and decryption algorithms
     • Denote the plaintext space by $\mathcal{M}_\Pi(x)$, where $x$ is the private key
     • $\mathcal{R}_\Pi(x)$ is the randomness space and $\mathcal{C}_\Pi(x)$ is the ciphertext space
     • $\Pi$ is homomorphic: $E_K(m_1; r_1)\, E_K(m_2; r_2) = E_K(m_1 + m_2; r_1 \circ r_2)$

  11. Affine Cryptosystems, 2/4
     • For two random variables (distributions) $X$ and $Y$ over discrete support $U$, define their statistical difference as
       $\Delta(X \| Y) := \max_{S \subseteq U} \left| \Pr[X \in S] - \Pr[Y \in S] \right|$.
     • $\Pi$ is $\varepsilon$-affine if there exist two PPT algorithms $(S, T)$, s.t. for any pair of private and public keys $(x, K)$,
       $\max_{a, b \in \mathcal{M}_\Pi(x),\, a \neq 0} \Delta\left( S(1^k, K)\, a + b \,\|\, T(1^k, K) \right) \le \varepsilon^k$.

  12. Affine Cryptosystems, 3/4
     • $\Pi$ is perfectly affine if it is $0$-affine and statistically affine if it is $(1/2 - \varepsilon)$-affine.
     • $\Pi$ is computationally affine if it is affine w.r.t. any $a, b$ that can be efficiently generated

  13. Affine Cryptosystems, 4/4
     • $\Pi$ is perfectly affine if $\mathcal{M}_\Pi(x)$ is a cyclic group of known order
     • $\Pi$ is computationally affine if $\mathcal{M}_\Pi(x)$ is a cyclic group, where it is hard for the decrypter to factor $|\mathcal{M}_\Pi(x)|$
     • If decrypter can factor $\mathcal{M}_\Pi(x)$ then $\Pi$ is not affine!
     • Perfectly affine: ElGamal
     • Computationally affine:
       ⋆ Damgård-Jurik [DJ03], Bresson-Catalano-Pointcheval

  15. Aiello-Ishai-Reingold OT Protocol AIR
     Assume that $\Pi = (G_\Pi, E, D; S, T)$ is a perfectly affine homomorphic cryptosystem.
     Chooser: $(x, K) \leftarrow G_\Pi(x)$; $r \leftarrow_R \mathcal{R}_\Pi(x)$; $c \leftarrow E_K(\sigma; r)$
     Chooser → Sender: $(K, c)$
     Sender: for $i \in [1, n]$ do
       $s_i \leftarrow \mathbb{Z}_{|\mathcal{M}_\Pi(x)|}$
       $r_i \leftarrow \mathcal{R}_\Pi(x)$
       $c_i \leftarrow E_K(\mu_i + s_i (i - \sigma);\ r^{s_i} \circ r_i)$
     Sender → Chooser: $(c_1, \dots, c_n)$
     Chooser: $\mu_\sigma \leftarrow D_K(c_\sigma)$

  16. The New Homomorphic OT Protocol HOT
     Assume that $\Pi = (G_\Pi, E, D; S, T)$ is an affine homomorphic cryptosystem.
     Chooser: $(x, K) \leftarrow G_\Pi(x)$; $r \leftarrow_R \mathcal{R}_\Pi(x)$; $c \leftarrow E_K(\sigma; r)$
     Chooser → Sender: $(K, c)$
     Sender: for $i \in [1, n]$ do
       $s_i \leftarrow \mathbb{Z}_{|\mathcal{M}_\Pi(x)|}$
       $r_i \leftarrow \mathcal{R}_\Pi(x)$
       $c_i \leftarrow E_K(\mu_i + s_i (i - \sigma);\ r^{s_i} \circ r_i)$
     Sender → Chooser: $(c_1, \dots, c_n)$
     Chooser: $\mu_\sigma \leftarrow D_K(c_\sigma)$

  17. Comparison
     • When $\Pi$ is perfectly affine, HOT=AIR: perfect sender-privacy
     • When $\Pi$ is computationally affine: computational sender-privacy
       ⋆ AIR was not defined for composite $|\mathcal{M}_\Pi(x)|$
     • If $\Pi$ is not affine, sender-privacy can be trivially broken

  18. Weak sender-privacy
     • There are many homomorphic cryptosystems that are not affine
     • It would be nice to extend HOT to such PKCs
     • Idea: weaken the security requirement

  19. $\binom{n}{1}$-Oblivious Transfer: Weak Security
     • Sender has private input, database $\mu = (\mu_1, \dots, \mu_n)$. Chooser has private input, index $\sigma \in [1, n]$
     • Chooser has private output $\mu_\sigma$
     • Nothing more will be leaked
     • If $\sigma \notin [1, n]$, chooser gets some information about one element $\mu_i$, $i \in [1, n]$
     • Sufficient in many applications (e.g., pay per view)

  20. Weak Sender-Privacy of HOT
     Theorem. HOT is weakly sender-private if the smallest prime divisor of $|\mathcal{M}_\Pi(x)|$ is $\ge n$.

  21. Weak Sender-Privacy of HOT
     Theorem. HOT is weakly sender-private if the smallest prime divisor of $|\mathcal{M}_\Pi(x)|$ is $\ge n$.

     | $\Pi$             | Security      | Weak security      |
     |-------------------|---------------|--------------------|
     | ElGamal           | Perfect       | Perfect            |
     | DJ03              | Computational | Perfect            |
     | DJ01              | —             | Perfect            |
     | Paillier          | —             | Perfect            |
     | Naccache-Stern    | —             | Perfect (possibly) |
     | Okamoto-Uchiyama  | —             | Perfect (possibly) |

  22. Verifiable Homomorphic OT Protocol VHOT
     Assume that $\Pi = (G_\Pi, E, D; S, T)$ is an affine homomorphic cryptosystem, $\Gamma = (G_\Gamma, C)$ is a homomorphic commitment scheme, $tr : \mathcal{M}_\Pi(x) \to \mathcal{R}_\Gamma(\tilde{x})$ and $retrieve : C_{\tilde{K}}(m; 1) \mapsto m$.
     Chooser: $(x, K) \leftarrow G_\Pi(1^k)$, $(\tilde{x}, \tilde{K}) \leftarrow G_\Gamma(1^k)$; $r \leftarrow_R \mathcal{R}_\Pi(x)$; $c \leftarrow E_K(\sigma; r)$
     Chooser → Sender: $(K, \tilde{K}, c)$
     Sender: for $i \in [1, n]$ do
       $m_i \leftarrow T(1^k, K)$, $s_i \leftarrow S(1^k, K)$
       $r_i \leftarrow \mathcal{R}_\Pi(x)$
       $c_i \leftarrow C_{\tilde{K}}(\mu_i; tr(m_i))$
       $v_i \leftarrow E_K(m_i + s_i (i - \sigma);\ r^{s_i} \circ r_i)$
     Sender → Chooser: $(c_1, v_1, \dots, c_n, v_n)$
     Chooser: $\mu_\sigma \leftarrow retrieve\left(c_\sigma \cdot C_{\tilde{K}}(0; tr(D_K(v_\sigma))^{-1})\right)$

  23. Security of the VHOT protocol
     • Perfectly sender-private when $\Gamma$ is perfectly hiding, $tr$ is injection, $|\mathcal{M}_\Pi| = |\mathcal{R}_\Gamma|$ is a prime
     • Statistically sender-private when $\Gamma$ is statistically hiding, $|\mathcal{M}_\Pi| \approx |\mathcal{R}_\Gamma|$, ...
     • Perfect privacy: $\Pi$ is ElGamal and $\Gamma$ is Pedersen (with the same plaintext group)
       Drawback: $retrieve : g^m \to m$ involves computation of discrete logarithm (ok if $m$ is known to be small)
     • Statistical privacy: $\Pi$ is ElGamal and $\Gamma$ is CGHN [CGHN01], then $retrieve$ is an efficient function
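
The HOT exchange of slides 15 and 16, run end to end with exponential ElGamal as the perfectly affine cryptosystem. This is an added example, not code from the talk; the toy group parameters, the function names and the small-range lookup in `dec` are assumptions made for illustration.

```python
import secrets

# Constructed toy parameters: P = 2Q + 1, G generates the subgroup of prime
# order Q, so the plaintext space is Z_Q. Far too small for real use.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1           # private key x
    return x, pow(G, x, P)                     # public key K = G^x

def enc(K, m, r=None):
    # Exponential ElGamal: E_K(m; r) = (G^r, G^m * K^r)
    r = secrets.randbelow(Q) if r is None else r
    return (pow(G, r, P), pow(G, m % Q, P) * pow(K, r, P) % P)

def mul(c1, c2):                               # E(m1) * E(m2) = E(m1 + m2)
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def power(c, s):                               # E(m)^s = E(s * m)
    return (pow(c[0], s, P), pow(c[1], s, P))

def dec(x, c, bound):
    # Recover G^m, then search m in [0, bound): the small-range discrete log.
    gm = c[1] * pow(c[0], Q - x, P) % P
    for m in range(bound):
        if pow(G, m, P) == gm:
            return m
    return None                                # masked slot outside the range

def sender_reply(K, c, mu):
    # Sender sees only (K, c) and returns c_i = E_K(mu_i + s_i * (i - sigma)).
    reply = []
    for i, mu_i in enumerate(mu, start=1):
        s_i = secrets.randbelow(Q)                   # s_i from Z_Q
        diff = mul(enc(K, i, 0), power(c, Q - 1))    # E(i) * E(sigma)^-1
        reply.append(mul(enc(K, mu_i), power(diff, s_i)))
    return reply

def run_hot(mu, sigma, bound=16):
    x, K = keygen()                            # chooser
    c = enc(K, sigma)                          # chooser -> sender: (K, c)
    reply = sender_reply(K, c, mu)             # sender -> chooser: (c_1..c_n)
    return [dec(x, c_i, bound) for c_i in reply]

if __name__ == "__main__":
    print(run_hot([3, 14, 7, 9], sigma=2))     # slot 2 is 14, the rest masked
```

Because Q is prime, `i - sigma` is invertible for every `i != sigma`, so each of those slots decrypts to a uniformly random element of Z_Q; a masked slot can still land inside the search range by chance.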
